Simplistic X11 logins not working.. (newbie questions)

Erik Fichtner emf at obfuscation.org
Mon May 31 19:08:33 UTC 2004


So.  I've got vanilla FC2 with SELinux loaded and the standard
policy sources loaded on my laptop.   For various reasons (low memory
and a general dislike for all things GNOME; primarily), I'm trying to
make good old xdm work and start boring old twm.     This requires a
little bit of manhandling within /etc/X11/xdm/Xsession and /etc/inittab.
No big deal here.
 
As packaged, the policy sets up xdm running as system_u:system_r:xdm_t.
This starts a copy of X which is transitioned into
system_u:system_r:xdm_xserver_t.   Then there's a display ":0" sitting
around on a third pid running as system_u:system_r:xdm_t.    Fine. 

Logging in as my user (which results in a nice clean emf:user_r:user_t
on the console) launches a twm as system_u:system_r:xdm_t, and then
when I attempt to run an Xterm, I get the following avc denies:

avc: denied { read write } for pid=3793 exe=/usr/bin/xterm name=ptmx dev=hda2 ino=134859 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:ptmx_t tclass=chr_file

avc: denied { search } for pid=3793 exe=/usr/bin/xterm dev= ino=1 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:devpts_t tclass=dir
avc: denied { search } for pid=3793 exe=/usr/bin/xterm dev= ino=1 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:devpts_t tclass=dir

and xterm promptly exits since it can't get a pty, and everything is 
still running as system_r:xdm_t; the real issue here.

/etc/security/default_contexts does have an entry for:
system_r:xdm_t	staff_r:staff_t user_r:user_t sysadm_r:sysadm_t

I even tried changing that to read:
system_r:xdm_t	user_r:user_t


At this point, I started flailing around a little bit and created an
Xwm.{te|fc} pair:

type Xwm_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(xdm_t,Xwm_exec_t,user_t)

/usr/X11R6/bin/twm	system_u:object_r:Xwm_exec_t

reloaded the policy, and relabelled twm.  Alles gut, ya?  Nein!


Now, when xdm->Xsession fires off twm, I get this:

security_compute_sid: invalid context system_u:system_r:user_t for scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:Xwm_exec_t tclass=process

and twm exits.  Clearly, that wasn't the answer.



So..... Questions are:

1)  why doesn't default_contexts appear to have any influence upon xdm? 
1a)	is there a way to force it?

2)  what am I supposed to do to get my window manager and its children
    into user_r:user_t ?

Thanks in advance...

-- 
Erik Fichtner; Unix Ronin
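
As an added example (not part of the original message): a short Python parser for the log lines quoted in the post. It collapses repeated AVC denials into unique (source type, target type, class, permissions) entries and, for the security_compute_sid line, reports which fields of the rejected context differ from the source context and which were carried over. The function names are illustrative.

```python
import re
from collections import Counter

# Log lines copied from the message above.
LOG = """\
avc: denied { read write } for pid=3793 exe=/usr/bin/xterm name=ptmx dev=hda2 ino=134859 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:ptmx_t tclass=chr_file
avc: denied { search } for pid=3793 exe=/usr/bin/xterm dev= ino=1 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:devpts_t tclass=dir
avc: denied { search } for pid=3793 exe=/usr/bin/xterm dev= ino=1 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:devpts_t tclass=dir
security_compute_sid: invalid context system_u:system_r:user_t for scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:Xwm_exec_t tclass=process
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
SID_RE = re.compile(r"security_compute_sid:\s+invalid context (\S+) for (.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")  # value may be empty, as in "dev="
FIELDS = ("user", "role", "type")

def split_context(ctx):
    """Split user:role:type (the contexts in this post carry no MLS level)."""
    return dict(zip(FIELDS, ctx.split(":", 2)))

def summarize(log):
    """Return (Counter of unique denials, list of invalid-context findings)."""
    denials, invalid = Counter(), []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            kv = dict(KV_RE.findall(m.group(2)))
            key = (split_context(kv["scontext"])["type"],
                   split_context(kv["tcontext"])["type"],
                   kv["tclass"], tuple(m.group(1).split()))
            denials[key] += 1
            continue
        m = SID_RE.search(line)
        if m:
            kv = dict(KV_RE.findall(m.group(2)))
            new, src = split_context(m.group(1)), split_context(kv["scontext"])
            # Fields that differ between the source context and the rejected one
            changed = [f for f in FIELDS if new[f] != src[f]]
            invalid.append({"context": m.group(1), "changed": changed,
                            "inherited": {f: new[f] for f in FIELDS if f not in changed}})
    return denials, invalid

if __name__ == "__main__":
    denials, invalid = summarize(LOG)
    for (src, tgt, cls, perms), n in denials.items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }} x{n}")
    for item in invalid:
        print(f"invalid {item['context']}: changed={item['changed']} inherited={item['inherited']}")
```
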
